Security Event Management with Tivoli - IBM (PDF transcript)
Security Event Management with Tivoli Security Operations Manager
Matthew Prince, Advisory IT Specialist
Security Event Management Challenges
• Managing data within a complex multi-vendor infrastructure
• Recognizing and handling business relevant incidents
• Enforcing security policies and real-time detection of violations
• Supporting audit and regulatory compliance initiatives
• Optimizing limited security resources
What is a SEM/SIM/SIEM?
SEM – Security Event Manager
SIM – Security Information Manager
SIEM – Security Information and Event Manager
“neuSECURE [TSOM] automates the aggregation and correlation process. It mitigates false positives and alerts my team to real threats in a timely manner. The product is more or less what I would have designed and built myself, given four years and a pool of developers.”
– Jeff Hartley, Cox Communications
Tivoli Security Operations Manager – Security Event Response Continuum (slide figure): Aggregate → Contextualize → Correlate → Evaluate → Remediate, running from computer-driven to human-driven stages. Where do you draw the line?
Consolidated Dashboard View (slide figure; chart axes: Frequency, Event Class, Domain)
Tivoli Security Operations Manager: Simple, Scalable, Solution
Simple
• Can be installed on a single computer in less than an hour / POC in ½ a day
• Agentless architecture
• Statistical correlation works with little tuning
Scalable
• Several customers with over 1,000 events per second (up to 5,000 peak)
• Rated to 10,000 eps in the lab
• MSSP / Carrier Class
Solution
• Log aggregation and storage
• Reporting on existence and effectiveness of internal controls
• Real-time monitoring of internal controls
• Incident response plan
• SOC/NOC integration
TSOM - Architecture (slide figures)
• Aggregation & Normalization
• Contextualisation & Correlation
• Visualisation, Notification, Reporting
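The aggregation and normalization stage is where an agentless collector turns raw syslog from many vendors into one event schema that the correlation stages can reason about. The Python below is an added example, not code from the deck or from TSOM: the three constructed syslog lines (an sshd host, a Linux iptables firewall and a Cisco IOS router), the source patterns, the vendor names and the field names of the common schema are all assumptions made for illustration. Two practitioner points it shows: the classic BSD syslog header carries no year or time zone, so the collector must supply both, and lines that no pattern matches are kept as "unparsed" events rather than silently dropped, because storage and audit reporting still need them.

```python
import re

# Constructed sample syslog lines, not real captures: a Linux host running sshd,
# a Linux iptables firewall and a Cisco IOS router. Addresses are documentation ranges.
SAMPLE_SYSLOG = [
    "<38>Jan 12 10:01:02 web01 sshd[2112]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "<38>Jan 12 10:01:05 web01 sshd[2112]: Accepted password for deploy from 198.51.100.4 port 51290 ssh2",
    "<4>Jan 12 10:01:09 fw01 kernel: IPTABLES-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4444 DPT=22",
    "<189>Jan 12 10:01:11 rtr01 45: *Jan 12 10:01:11.001: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 23] [Reason: Login Authentication Failed]",
    "garbage line that is not syslog",
]

# BSD syslog header: <PRI>, timestamp without year or zone, hostname, message.
SYSLOG_HDR = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# Source-specific message patterns (assumed formats). Each entry: vendor tag,
# event category, regex whose named groups become schema fields.
PATTERNS = [
    ("sshd", "auth", re.compile(
        r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>[\d.]+)")),
    ("iptables", "firewall", re.compile(
        r"kernel: (?P<action>IPTABLES-\w+): .*SRC=(?P<src_ip>[\d.]+) DST=(?P<dst_ip>[\d.]+).*DPT=(?P<dst_port>\d+)")),
    ("cisco-ios", "auth", re.compile(
        r"%SEC_LOGIN-\d-(?P<outcome>LOGIN_FAILED|LOGIN_SUCCESS): .*\[user: (?P<user>[^\]]+)\] \[Source: (?P<src_ip>[\d.]+)\]")),
]


def normalize(line: str) -> dict:
    """Map one raw syslog line onto a common event schema.

    Lines that do not parse are returned as category 'unparsed' with the raw
    text preserved, so they still reach storage and reporting.
    """
    event = {"raw": line, "category": "unparsed", "vendor": None, "host": None,
             "ts": None, "facility": None, "severity": None,
             "src_ip": None, "dst_ip": None, "user": None, "outcome": None}
    m = SYSLOG_HDR.match(line)
    if not m:
        return event
    pri = int(m["pri"])
    # PRI packs facility and severity: facility = pri // 8, severity = pri % 8.
    # The timestamp is kept as text; the collector must add year and zone itself.
    event.update(host=m["host"], ts=m["ts"], facility=pri >> 3, severity=pri & 7)
    for vendor, category, pat in PATTERNS:
        f = pat.search(m["msg"])
        if f:
            event.update(vendor=vendor, category=category, **f.groupdict())
            break
    else:
        event["category"] = "other"  # valid syslog, but no source pattern yet
    # Collapse vendor-specific outcome words onto one vocabulary so a rule can
    # say outcome == "failure" regardless of which device produced the event.
    if event["outcome"] in ("Failed", "LOGIN_FAILED"):
        event["outcome"] = "failure"
    elif event["outcome"] in ("Accepted", "LOGIN_SUCCESS"):
        event["outcome"] = "success"
    elif event.get("action", "").endswith("DROP"):
        event["outcome"] = "deny"
    return event


def normalize_all(lines):
    """Normalize a batch of lines, keeping input order."""
    return [normalize(line) for line in lines]


if __name__ == "__main__":
    for ev in normalize_all(SAMPLE_SYSLOG):
        print(ev["category"], ev["vendor"], ev["outcome"], ev["src_ip"], ev["user"])
```

The pattern table is the part that grows with every supported device; the schema on the left stays fixed, which is what lets the later correlation stages stay vendor-neutral.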
Four Stage Correlation Process
Statistical Threat Analysis
• Detecting unknown attacks
• Detecting anomalous behavior
• Out of the box benefit!
Rules-based Correlation
• Detecting misuse
• Enforcing security policies
• Simple rules to complex, multiphase stateful rules
Susceptibility Correlation
• Raises visibility of threats against susceptible hosts
• Reduces noise of threats against non-susceptible hosts
Vulnerability Correlation
• Mapping of specific detected threats to specific known vulnerabilities
Complementary techniques for scalable incident recognition and precise policy enforcement
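To make the four stages concrete, here is an added Python example of the whole correlation chain over already-normalized events. It is illustrative code written for this page, not TSOM's engine or any of its rule syntax; the event records, the baseline counts, the asset inventory, the scanner findings, the signature catalogue and the severity weights are all constructed assumptions. Stage 1 needs no signature at all (a source whose failed-login count sits well outside the learnt baseline is flagged), stage 2 is a stateful two-phase rule (many failures, then a success from the same source), and stages 3 and 4 only change how loud an existing detection is: a signature that needs IIS is quietened against an Apache host and raised when a scanner has already found the exploited weakness on the target.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed, already-normalized events for one monitoring window (ts in seconds).
EVENTS = [
    {"ts": 0,  "src": "203.0.113.7",  "dst": "10.0.0.5", "user": "admin", "outcome": "failure", "sig": "ssh-login"},
    {"ts": 5,  "src": "203.0.113.7",  "dst": "10.0.0.5", "user": "admin", "outcome": "failure", "sig": "ssh-login"},
    {"ts": 10, "src": "203.0.113.7",  "dst": "10.0.0.5", "user": "root",  "outcome": "failure", "sig": "ssh-login"},
    {"ts": 15, "src": "203.0.113.7",  "dst": "10.0.0.5", "user": "root",  "outcome": "failure", "sig": "ssh-login"},
    {"ts": 20, "src": "203.0.113.7",  "dst": "10.0.0.5", "user": "root",  "outcome": "failure", "sig": "ssh-login"},
    {"ts": 40, "src": "203.0.113.7",  "dst": "10.0.0.5", "user": "root",  "outcome": "success", "sig": "ssh-login"},
    {"ts": 50, "src": "203.0.113.7",  "dst": "10.0.0.8", "user": None,    "outcome": None,      "sig": "iis-webdav-overflow"},
    {"ts": 51, "src": "203.0.113.7",  "dst": "10.0.0.9", "user": None,    "outcome": None,      "sig": "iis-webdav-overflow"},
    {"ts": 60, "src": "198.51.100.4", "dst": "10.0.0.5", "user": "deploy", "outcome": "failure", "sig": "ssh-login"},
]
# Constructed context: asset inventory (what runs where) and scanner findings (what is known weak).
ASSETS = {
    "10.0.0.5": {"os": "linux",   "services": {"ssh"}},
    "10.0.0.8": {"os": "windows", "services": {"iis"}},
    "10.0.0.9": {"os": "linux",   "services": {"apache"}},
}
SCAN_FINDINGS = {"10.0.0.8": {"iis-webdav-overflow"}, "10.0.0.5": set()}
# Hypothetical signature catalogue: which service a detection needs to matter and
# which scanner finding it exploits (names are placeholders, not real identifiers).
SIGNATURES = {
    "ssh-login":           {"requires": {"ssh"}, "exploits": None},
    "iis-webdav-overflow": {"requires": {"iis"}, "exploits": "iis-webdav-overflow"},
}
# Constructed baseline: failed logins per source per window, learnt from earlier windows.
BASELINE_FAILURES = [1, 0, 2, 1, 0, 1, 2, 1]


def statistical_outliers(events, baseline, k=3.0):
    """Stage 1: flag sources whose failure count exceeds mean + k*stddev of the
    baseline. No signature is involved, so it needs little tuning beyond k."""
    threshold = mean(baseline) + k * pstdev(baseline)
    counts = defaultdict(int)
    for e in events:
        if e["outcome"] == "failure":
            counts[e["src"]] += 1
    return {src: n for src, n in counts.items() if n > threshold}


def brute_force_then_success(events, min_failures=3, window=60):
    """Stage 2: stateful multiphase rule. Remember failures per source; fire when a
    success from the same source follows >= min_failures failures inside the window."""
    failures = defaultdict(list)
    incidents = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["outcome"] == "failure":
            failures[e["src"]].append(e["ts"])
        elif e["outcome"] == "success":
            recent = [t for t in failures[e["src"]] if e["ts"] - t <= window]
            if len(recent) >= min_failures:
                incidents.append({"rule": "brute-force-then-success", "src": e["src"], "dst": e["dst"],
                                  "user": e["user"], "ts": e["ts"], "failures": len(recent)})
            failures[e["src"]].clear()  # phase state resets once the success is seen
    return incidents


def contextualize(event, assets, findings, signatures, base=3):
    """Stages 3 and 4: scale severity by susceptibility (can the target be affected?)
    and by vulnerability (has a scanner confirmed the exploited weakness there?)."""
    sig = signatures[event["sig"]]
    asset = assets.get(event["dst"])
    severity, tags = base, []
    if asset is None:
        tags.append("unknown-asset")           # no inventory: neither reduce nor raise
    elif asset["services"] & sig["requires"]:
        severity += 2; tags.append("susceptible")
    else:
        severity -= 2; tags.append("not-susceptible")   # noise reduction
    if sig["exploits"] and sig["exploits"] in findings.get(event["dst"], set()):
        severity += 3; tags.append("vulnerable")
    return {"src": event["src"], "dst": event["dst"], "sig": event["sig"],
            "severity": max(severity, 0), "tags": tags}


def correlate(events, baseline=BASELINE_FAILURES, assets=ASSETS,
              findings=SCAN_FINDINGS, signatures=SIGNATURES):
    """Run all four stages and return incidents, loudest first."""
    incidents = [{"rule": "statistical-outlier", "src": s, "failures": n, "severity": 4}
                 for s, n in statistical_outliers(events, baseline).items()]
    for inc in brute_force_then_success(events):
        incidents.append(dict(inc, severity=7))
    for e in events:
        if signatures[e["sig"]]["exploits"]:   # only exploit signatures get stages 3/4
            incidents.append(dict(contextualize(e, assets, findings, signatures), rule="signature"))
    return sorted(incidents, key=lambda i: -i["severity"])


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc["severity"], inc["rule"], inc.get("src"), inc.get("dst"), inc.get("tags", ""))
```

Note the order of magnitude of the effect: the same IIS signature fired against two hosts ends up at severity 8 on the Windows/IIS host the scanner already flagged and at 1 on the Apache host, which is the noise reduction the susceptibility and vulnerability stages are meant to deliver.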
Typical Distributed neuSECURE Deployment (slide diagram)
Data Center:
• neuSECURE CMS (Central Management System): Linux or Solaris, 2 x CPU / 2GB RAM / 250+GB fast HDD
• Database: Oracle or MySQL
• neuSECURE Console: web browser / Java
• neuSECURE EAM (Event Aggregation Module): typically Linux, 2 x CPU / 2GB RAM / 100GB HDD
Remote sites (Dallas, Phoenix, Chicago, New York): one neuSECURE EAM (Event Aggregation Module) each, typically Linux, 2 x CPU / 2GB RAM / 100GB HDD
Event sources feeding the EAMs:
• Unix servers: Syslog
• Windows servers: Universal Collection Module (UCM)
• NIDS/NIPS: Syslog / Cisco IDS
• Firewalls: Check Point OPSEC / SNMP / Syslog
• Router/Switch: SNMP
TSOM – Multi-Domain Architecture
• Security Domains - partitioning of security data, access & control into logical zones mapped to your internal organization requirements & practices
• Support for multiple overlapping IP ranges
• Modular design handles high event rate analysis and optimal storage with a high availability option
• Pervasive, granular roles-based access
• Automated, comprehensive auditing of TSOM system, operators, and actions
• Browser-based interface for simple deployment and anytime/anywhere access
• Agentless, low-impact deployment
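Overlapping IP ranges are the detail that makes multi-domain operation hard: when two tenants both use 10.0.0.0/8, the reporting address alone cannot say which domain an event belongs to, so attribution has to key on the collector that received it as well. The Python below is an added example written for this page, not TSOM's domain model or its access-control code; the tenant layout, collector names, operators, roles and events are all constructed assumptions. It shows domain attribution by (collector, address), a default-deny view for operators, a separate check of role and domain grant before an action, and an audit record of every action whether it was allowed or refused.

```python
import ipaddress

# Constructed tenant layout: two security domains whose collectors (EAMs) both
# receive events from devices addressed in 10.0.0.0/8.
DOMAINS = {
    "retail": {"collectors": {"eam-dallas"},
               "ranges": [ipaddress.ip_network("10.0.0.0/8")]},
    "bank":   {"collectors": {"eam-chicago"},
               "ranges": [ipaddress.ip_network("10.0.0.0/8"),
                          ipaddress.ip_network("192.0.2.0/24")]},
}
# Roles-based access: which domains an operator is granted and what each role may do.
OPERATORS = {
    "alice": {"domains": {"retail"},         "role": "analyst"},
    "bob":   {"domains": {"retail", "bank"}, "role": "soc-manager"},
}
ROLE_ACTIONS = {
    "analyst":     {"view", "acknowledge"},
    "soc-manager": {"view", "acknowledge", "close"},
}
# Constructed events: "reporter" is the device that emitted the log,
# "collector" the EAM that received it. Events 1 and 2 share an address.
EVENTS = [
    {"id": 1, "collector": "eam-dallas",  "reporter": "10.1.2.3",  "msg": "sshd: Failed password"},
    {"id": 2, "collector": "eam-chicago", "reporter": "10.1.2.3",  "msg": "sshd: Failed password"},
    {"id": 3, "collector": "eam-chicago", "reporter": "192.0.2.9", "msg": "iptables DROP"},
    {"id": 4, "collector": "eam-phoenix", "reporter": "10.9.9.9",  "msg": "snmp trap"},
]
AUDIT = []  # every operator action, allowed or denied, lands here


def assign_domain(event):
    """Attribute an event by (collector, reporter address), never by address alone.
    Returns None when no domain claims the event; such events must be held for
    review, not shown to every operator."""
    ip = ipaddress.ip_address(event["reporter"])
    for name, d in DOMAINS.items():
        if event["collector"] in d["collectors"] and any(ip in r for r in d["ranges"]):
            return name
    return None


def visible_events(operator, events):
    """Default deny: only events attributed to a granted domain are returned."""
    allowed = OPERATORS[operator]["domains"]
    return [e for e in events if assign_domain(e) in allowed]


def unassigned(events):
    """Events no domain claims, e.g. from a collector nobody has registered."""
    return [e for e in events if assign_domain(e) is None]


def act(operator, event, action):
    """Check the domain grant and the role separately, then audit the outcome
    either way so refused attempts are as visible as successful ones."""
    op = OPERATORS[operator]
    domain = assign_domain(event)
    allowed = domain in op["domains"] and action in ROLE_ACTIONS[op["role"]]
    AUDIT.append({"operator": operator, "event": event["id"], "domain": domain,
                  "action": action, "allowed": allowed})
    return allowed


if __name__ == "__main__":
    for who in OPERATORS:
        print(who, [e["id"] for e in visible_events(who, EVENTS)])
    print("unassigned", [e["id"] for e in unassigned(EVENTS)])
    act("alice", EVENTS[1], "view")
    print(AUDIT[-1])
```

The unassigned queue is the check to add in any deployment: an event that matches no (collector, range) pair usually means a new collector or a tenant's range changed, and the safe failure is for it to be invisible to tenants until someone maps it, not for it to leak into the wrong domain.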
TSOM - Deep/Broad Device Support
Access and Identity Management: IBM Tivoli Access Manager, IBM Tivoli Identity Manager, CA eTrust Access, CA eTrust Secure Proxy Server, CA eTrust Siteminder (Netegrity), RSA SecurID, RADIUS, Oracle Identity Management (Oblix), Sun Java System Directory Server, Microsoft Active Directory, Cisco ACS
Wireless Security: AirMagnet, AirDefense
Management Systems (TSOM escalates to): Tivoli/Netcool, IBM/Tivoli Enterprise Console, Cisco Information Center, Remedy ARS, HP OpenView, CA Unicenter
Management Systems (source of events into TSOM): Tivoli/Netcool, Check Point Provider-1, CiscoWorks, ISS RealSecure SiteProtector, Juniper Global Pro (Netscreen), Juniper NSM (Netscreen), Tripwire Manager, Intrusion, Inc. SecureNet Manager, McAfee ePO, Nortel Defense Center, Sourcefire Defense Center, Q1 QRadar Mgmt Server
Applications: IBM WebSphere, Lotus Domino, Apache, Microsoft IIS, Oracle
Operating Systems Logs, Logging Platforms: AIX (IBM), RedHat Linux, Solaris (Sun), SuSE Linux, HP/UX, Microsoft Windows Event Log (W2K3 DHCP, W2K DHCP, IIS), Microsoft SNMP Trap Sender, Nokia IPSO, Novell NetWare, OpenBSD, Tru64, Tripplight UPS, Monitorware SYSLOG, KiwiSyslog
Antivirus: CipherTrust IronMail, McAfee Virus Scan, Norton AntiVirus (Symantec), McAfee ePO, Trend Micro InterScan
Application Security: Blue Coat Proxy, Nortel ITM (Intelligent Traffic Mgmt), Teros APS, Sentryware Hive, Nortel Application Switch (Alteon)
Discovery Tools: Lumeta IPSonar, NMAP, Sourcefire RNA
Network Intrusion Detect/Prevention: McAfee Intrushield, Sourcefire Network Sensor, Sourcefire RNA, Juniper IDP, ISS RealSecure, ISS Proventia, ISS BlackICE Sentry, Cisco Secure IDS, SNORT IDS, Enterasys Dragon, Nortel Threat Protection System (TPS), Intrusion's SecureNetPro, Mirage Networks, NFR NID, Symantec ManHunt, ForeScout ActiveScout, QRadar, Top Layer Attack Mitigator, Labrea TarPit, IP Angel, Lancope StealthWatch, Tipping Point UnityOne NDS, Arbor Networks PeakflowX, Mazu Networks
Host-based Intrusion Detect/Prevention: Cisco CSA, NFR HID, Sana, Snare, Symantec Intruder Alert (ITA), Sygate Secure Enterprise, Tripwire, ISS RealSecure, McAfee Entercept, PowerTech PowerLock/Interact (iSeries), zOS IDS
VPN: Juniper SSL VPN, Nortel VPN Router (Contivity), Check Point, Cisco IOS VPN, Cisco VPN 3000, Juniper VPN, Nortel VPN Gateway (SSL VPN)
Firewalls: Check Point Firewall-1, Cisco PIX, CyberGuard, Fortinet FortiGate, GNATBox, Juniper (Netscreen), Linux IP Tables, Lucent Brick, Microsoft ISA Server, Nortel Switched Firewall, Stonesoft's StoneGate, Secure Computing's Sidewinder, Symantec's Enterprise Firewall, SonicWALL, Sun SunScreen
Vulnerability Assessment: Nessus, Vigilante, ISS Internet Scanner, QualysGuard, Foundstone, eEye Retina, REM, SPI Dynamics WebInspect, nCircle IP360, Harris STAT, Tenable Lightning
Routers/Switches: Cisco Routers, Cisco Catalyst Switches, Cisco RCMD, Foundry Switches, F5 Big IP, 3-DNS, Juniper JunOS, TACACS / TACACS+, Nortel Ethernet Routing Switch 5500, 8300, 8600, 400 series, Extreme Networks
Policy Compliance: Vericept
TSOM – Compliance Reporting: Sarbanes-Oxley Example
Incident Response Overview: Incident Status Overview by Severity; Total Incident Volume by Severity; Mean Time to Incident Acknowledgement; Mean Time to Incident Resolution
Detailed Monitoring Overview: General Event Activity by Watchlist; Top 10 Attacking Hosts; Top 10 Targeted Hosts; Top 10 Attacked Services; Top 10 Policy Violations
SOX-specific User Access Overview: Anomalous Failed Logins; Successful Data Access by User; Unauthorized Data Access by User; Policy Violations by User
Vulnerability Remediation Overview: Vulnerability Status Overview by Severity; Mean Time to Remediation by Netblock
“With neuSECURE [TSOM], we have reduced the average time we spend investigating and responding to an attack from 30 minutes to less than three (3) minutes. This can mean the difference between stopping an attacker and suffering the consequences of a security breach. In our business, that is the difference between keeping and losing a customer.” – MSSP
TSOM – Closing the Incident Management Loop
The Converged SOC/NOC
• Transcends IT silos (NOC/SOC/Help Desk)
• Requires convergence at:
  - Organizational level (i.e. common first level response)
  - System level (i.e. integrated ticketing and workflow)
  - Asset level (i.e. shared sensors and criticality information)
• Requires responses based on the business impact, not cause
• Improves problem resolution and time to mitigation
• The end goal for both IT and security operations is business and service assurance
TSOM Operational Integration
• Correlated security events to Netcool/OMNIbus & Tivoli Enterprise Console: automated escalation, or operator driven forwarding; critical event or critical host details
• Universal Collection Layer: leverage OMNIbus collection of Syslog or SNMP based data into TSOM for security analysis
• TSOM support for Netcool SSMs (shipping today)
• TSOM support for Netcool/Portal product (PIM near completion) for integrated solutions
• TSOM support for TIM and TAM
Near Future Operational Integration
• Support for Tivoli Security Compliance Manager
• Additional platform support: z/OS, iSeries
• Additional application support: DB2, SOA/XML via DataPower appliance, Lotus Domino
• New asset database will provide foundation for TADDM and CCMDB
Why Tivoli Security Operations Manager
• Superior Incident Recognition Capabilities
• Supports and Streamlines Incident Management
• Superior Multi-Domain SOC Architecture
• Solution-oriented Approach
• Rapid Implementation
• Less on-going Professional Services costs
• Netcool SOC integrated with Netcool NOC
Thank you!
Disclaimers and Trademarks
No part of this document may be reproduced or transmitted in any form without written permission from IBM Corporation. Product data has been reviewed for accuracy as of the date of initial publication. Product data is subject to change without notice. Any statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
THE INFORMATION PROVIDED IN THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IBM EXPRESSLY DISCLAIMS ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements (e.g. IBM Customer Agreement, Statement of Limited Warranty, International Program License Agreement, etc.) under which they are provided. IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws.
The following terms are trademarks or registered trademarks of the IBM Corporation in either the United States, other countries or both: DB2, e-business logo, eServer, IBM, IBM eServer, IBM logo, Lotus, Tivoli, WebSphere, Rational, z/OS, zSeries, System z. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States and/or other countries. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States and/or other countries. UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a trademark of Linus Torvalds in the United States and other countries. Other company, product, or service names may be trademarks or service marks of others. ITIL® is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office. IT Infrastructure Library® is a Registered Trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.